Non-Proprietary Security Policy, Version 1.2
October 27, 2009
Blue Coat ProxySG8100
© 2009 Blue Coat Systems, Inc.
This document may be freely reproduced and distributed whole and intact including this copyright notice.
· Press <Enter> three times.
· When the "Welcome to the ProxySG Appliance Setup Console" prompt appears, the system is ready for the
  first-time network configuration.
· The first-time configuration sets up the interface number, IP address, IP subnet mask, IP gateway, DNS
  server parameters, username, and password.
· In addition to configuring the Internet Protocol service, the module's FIPS mode of operation must also be
  enabled (default is disabled). Setting FIPS mode to "enabled" ensures that all security functions used are
  FIPS Approved. The module will transition to the FIPS mode when the Cryptographic Officer enters the
  "fips-mode enable" command via the serial port. The entry of this command causes the device to power cycle
  and zeroize the Master Appliance Key. NOTE: This command is only accepted via the serial port.
3.1.3 Management
The Crypto-Officer is able to monitor and configure the module via the web interface (HTTPS over TLS), serial
port, or secure telnet (telnet over TLS). Detailed instructions to monitor and troubleshoot the systems are provided
in Blue Coat® Systems Installation Guides mentioned in the Blue Coat® Systems SG8100 Series Installation Guide.
The Crypto-Officer should monitor the module's status regularly. If any irregular activity is noticed or the module
is consistently reporting errors, then Blue Coat Systems customer support should be contacted.
The module can be taken out of FIPS mode using the secure serial setup console only. A CLI command
("fips-mode") will allow FIPS mode to be enabled or disabled. To ensure that CSPs are not shared across FIPS
Approved mode and Non-Approved mode, any change to the FIPS mode parameter will trigger a zeroization of the
Master Appliance Key and force the module to power cycle. The FIPS mode parameter will not be modified until
after the zeroization of the Master Appliance Key and the power cycle have completed.
3.1.4 Zeroization
At the end of its life cycle or when taking the module out of FIPS mode, the module must be fully zeroized to
protect CSPs. When switching between FIPS mode and non-FIPS mode, the module automatically reboots, zeroizing
all the CSPs. The Crypto-Officer must wait until the module has successfully rebooted in order to verify that
zeroization has completed.
3.2 User Guidance
The User does not have the ability to configure sensitive information on the module, with the exception of their
authentication data. Although the User does not have any ability to modify the configuration of the module, they
should report any irregular activity they notice to the Crypto-Officer.